Activating HTTPS Listener (Lobster Integration and Admin Console)
The following XML fragment is used to add an HTTPS listener (HTTPS connector) to the current HTTP server in the configuration file ./etc/hub.xml (Lobster Integration) or ./etc/admin.xml (Admin Console) for incoming, SSL-secured requests. Notice the different values of refid for Lobster Integration and the Admin Console.
| Version | ./etc/hub.xml | ./etc/admin.xml |
|---|---|---|
| Prior to 4.6.9 and as of LDP | Communication and GUI | Admin Console only |
| 4.6.9 through the end of the 4.6.x branch (new installations only, not updates) | Communication only (e.g., HTTP, AS2) | Admin Console and GUI |
You need a TLS-compatible local certificate integrated in Lobster Integration. In the certificate dialog, enable the checkboxes Signing, Encryption, and TLS Server; the certificate must support both signing and encryption.
Recommended reference method: In the parameter <Set name="serverCertSubjectName">, use the notation ksnote:mycertificate, where mycertificate is the value you entered in the Note field of your certificate. This method is preferable to specifying the certificate ID or the Common Name (CN), because the certificate ID changes when your certificate is renewed after expiry and Common Names are not guaranteed to be unique. This way you avoid name conflicts and unnecessary changes to the configuration file. Make sure you use unique values in the Note field.
Note
If the specified certificate is not found, the first suitable certificate found is used automatically. An HTTP listener and an HTTPS listener can run in parallel.
Important
Changes to XML configuration files are only picked up on Integration Server restart. A restart is therefore required after every change.
```xml
<!-- SSL support by authentication service, preferred method -->
<!-- =========================================================== -->
<!-- Add a HTTPS Connector. -->
<!-- Configure an o.e.j.server.ServerConnector with connection -->
<!-- factories for TLS (aka SSL) and HTTP to provide HTTPS. -->
<!-- All accepted TLS connections are wired to a HTTP connection.-->
<!-- -->
<!-- Consult the javadoc of o.e.j.server.ServerConnector, -->
<!-- o.e.j.server.SslConnectionFactory and -->
<!-- o.e.j.server.HttpConnectionFactory for all configuration -->
<!-- that may be set here. -->
<!-- =========================================================== -->
<Call id="httpsConnector" name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server">
        <!-- Use "MainServer" for Lobster Integration and "AdminServer" for Admin Console -->
        <Ref refid="MainServer" />
      </Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory">
                <New class="com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory">
                  <!-- <Set name="serverCertSubjectName">*CN=YourCertificateCommonName*</Set> -->
                  <!-- <Set name="serverCertSubjectName">certid:1574423144929056</Set> -->
                  <Set name="serverCertSubjectName">ksnote:mycertificate</Set>
                  <Call name="addExcludeCipherSuites">
                    <Arg>
                      <Array type="String">
                        <Item>.*NULL.*</Item>
                        <Item>.*RC4.*</Item>
                        <Item>.*MD5.*</Item>
                        <Item>.*DES.*</Item>
                        <Item>.*DSS.*</Item>
                      </Array>
                    </Arg>
                  </Call>
                  <Call name="addExcludeProtocols">
                    <Arg>
                      <Array type="java.lang.String">
                        <Item>SSL</Item>
                        <Item>SSLv2</Item>
                        <Item>SSLv2Hello</Item>
                        <Item>SSLv3</Item>
                      </Array>
                    </Arg>
                  </Call>
                  <Set name="renegotiationAllowed">FALSE</Set>
                  <Set name="IncludeCipherSuites">
                    <Array type="String">
                      <Item>TLS_DHE_RSA.*</Item>
                      <Item>TLS_ECDHE.*</Item>
                    </Array>
                  </Set>
                </New>
              </Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config">
                <Ref refid="sslHttpConfig" />
              </Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="port">443</Set>
      <Set name="idleTimeout">180000</Set>
    </New>
  </Arg>
</Call>
```
Forcing HTTPS for Admin Console
To force an HTTPS login for the Admin Console, the following two entries must be edited.
Configuration file ./etc/startup.xml
```xml
<!-- admin console: use SSL & port -->
<Call name="setAdminUrlParams"><Arg type="boolean">true</Arg><Arg type="int">443</Arg></Call>
```
Configuration file ./etc/webdefault.xml
```xml
<!-- redirect to https -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```
Activating HTTPS Listener (DMZ Server)
To enable HTTPS on the DMZ server, perform the same steps in the configuration file ./etc/hub.xml on the DMZ server as described above. The certificate referenced there is also a certificate from the inner system (Lobster Integration).
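Because the same connector fragment is applied to several files (./etc/hub.xml, ./etc/admin.xml, and ./etc/hub.xml on the DMZ server) with a different refid in each, a pre-restart check of the edited file is useful. The script below is an added example, not part of the Lobster documentation or product; it parses the Jetty XML with Python's standard library and reports deviations from the fragment above (wrong refid, certificate not referenced via ksnote:, missing protocol or cipher exclusions, renegotiation enabled). The embedded sample is constructed and deliberately contains those deviations.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the page's hub.xml fragment (not a real Lobster file), with weaknesses.
SAMPLE_HUB_XML = """<Configure>
<Call id="httpsConnector" name="addConnector"><Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
 <Arg name="server"><Ref refid="AdminServer"/></Arg>
 <Arg name="factories"><Array type="org.eclipse.jetty.server.ConnectionFactory"><Item>
  <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg name="next">http/1.1</Arg>
   <Arg name="sslContextFactory">
    <New class="com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory">
     <Set name="serverCertSubjectName">certid:EXAMPLE-CERT-ID</Set>
     <Call name="addExcludeProtocols"><Arg><Array type="java.lang.String">
      <Item>SSLv2Hello</Item><Item>SSLv3</Item></Array></Arg></Call>
     <Set name="renegotiationAllowed">true</Set>
    </New>
   </Arg>
  </New></Item></Array></Arg>
</New></Arg></Call></Configure>"""

REQUIRED_PROTOCOL_EXCLUDES = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"}  # as in the page's fragment
REQUIRED_CIPHER_EXCLUDES = {".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*"}


def _items(ctx, call_name):
    """Strings passed as <Item>s to <Call name=call_name> inside the SSL context factory."""
    call = ctx.find(f"Call[@name='{call_name}']")
    return {i.text.strip() for i in call.iter("Item")} if call is not None else set()


def check_https_connector(xml_text, expected_refid):
    """Return findings for the HTTPS connector (empty list = all checks pass).
    expected_refid is "MainServer" for ./etc/hub.xml and "AdminServer" for ./etc/admin.xml."""
    root = ET.fromstring(xml_text)
    conn = root.find(".//Call[@name='addConnector']/Arg/New[@class='org.eclipse.jetty.server.ServerConnector']")
    ctx = None if conn is None else conn.find(".//New[@class='com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory']")
    if ctx is None:
        return ["no ServerConnector with AuthServiceSSLContextFactory found"]
    findings = []
    ref = conn.find("Arg[@name='server']/Ref")
    if ref is None or ref.get("refid") != expected_refid:
        findings.append(f"server refid should be {expected_refid}")
    if not ctx.findtext("Set[@name='serverCertSubjectName']", default="").startswith("ksnote:"):
        findings.append("serverCertSubjectName should use the ksnote: notation")
    for p in sorted(REQUIRED_PROTOCOL_EXCLUDES - _items(ctx, "addExcludeProtocols")):
        findings.append(f"protocol not excluded: {p}")
    for c in sorted(REQUIRED_CIPHER_EXCLUDES - _items(ctx, "addExcludeCipherSuites")):
        findings.append(f"cipher pattern not excluded: {c}")
    if ctx.findtext("Set[@name='renegotiationAllowed']", default="").strip().upper() != "FALSE":
        findings.append("renegotiationAllowed should be FALSE")
    return findings
```

Run it against the real file with the refid that matches that file (MainServer for hub.xml, AdminServer for admin.xml); an empty list means the fragment matches the recommended configuration.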
Let's Encrypt (Automatic Certificate Handling)
See section Let's Encrypt/ACME/Certbot (to receive and renew certificates from a Certificate Authority free of charge and automatically).